store hash apikey in Database #2

@ANSHSINGH050404

Currently, storing API keys in plain text (or without a hashing layer) poses a significant security risk. If the database is compromised, all user API keys would be exposed. We need to implement a one-way hashing mechanism so that we only store the "fingerprint" of the key, not the key itself.

Logic Implementation (ApikeyService):
The service must handle two primary flows:

- Generation: Create a random 32-byte key, hash it using sha256, and store only the hash. Return the raw key to the user once.
- Validation: Take a raw key from a request header, hash it, and query the database for a matching hash.
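
The two flows described above, as an added example that is not code from this repository. It assumes an in-memory SQLite database, a hypothetical `api_keys` table with `key_hash` and `owner` columns, hex encoding of the key, and hypothetical method names `generate` and `validate`.

```python
import hashlib
import hmac
import secrets
import sqlite3


class ApikeyService:
    """Stores only SHA-256 digests of API keys; raw keys never reach the DB."""

    KEY_BYTES = 32  # random key length stated in the issue

    def __init__(self, db):
        self.db = db
        # Hypothetical schema: the digest is the lookup key, so it is unique.
        db.execute(
            "CREATE TABLE IF NOT EXISTS api_keys ("
            "key_hash TEXT PRIMARY KEY, owner TEXT NOT NULL)"
        )

    @staticmethod
    def _hash(raw_key):
        # Plain SHA-256 is adequate only because the key is 32 random bytes;
        # it would not be for low-entropy secrets such as passwords.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def generate(self, owner):
        raw_key = secrets.token_hex(self.KEY_BYTES)  # CSPRNG, 64 hex chars
        self.db.execute(
            "INSERT INTO api_keys (key_hash, owner) VALUES (?, ?)",
            (self._hash(raw_key), owner),
        )
        return raw_key  # shown to the user once, never persisted

    def validate(self, header_value):
        # Reject missing or malformed header values before hashing.
        if not isinstance(header_value, str):
            return None
        raw_key = header_value.strip()
        if len(raw_key) != self.KEY_BYTES * 2:
            return None
        digest = self._hash(raw_key)
        row = self.db.execute(
            "SELECT key_hash, owner FROM api_keys WHERE key_hash = ?",
            (digest,),
        ).fetchone()
        # Constant-time comparison of the stored and computed digests.
        if row is None or not hmac.compare_digest(row[0], digest):
            return None
        return row[1]
```

Because only the digest is stored, a lost key cannot be recovered from the database; the user has to be issued a new one.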
